# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
1 |
CVE-2022-24728 |
79 |
|
XSS Bypass |
2022-03-16 |
2022-03-28 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds. |
2 |
CVE-2021-41184 |
79 |
|
Exec Code XSS |
2021-10-26 |
2022-04-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources. |
3 |
CVE-2021-41183 |
79 |
|
Exec Code XSS |
2021-10-26 |
2022-04-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources. |
4 |
CVE-2021-41182 |
79 |
|
Exec Code XSS |
2021-10-26 |
2022-04-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources. |
5 |
CVE-2021-41165 |
79 |
|
XSS Bypass |
2021-11-17 |
2022-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0. |
6 |
CVE-2021-41164 |
79 |
|
XSS Bypass |
2021-11-17 |
2022-06-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0. |
7 |
CVE-2021-33829 |
79 |
|
XSS |
2021-06-09 |
2021-11-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled. |
8 |
CVE-2020-13688 |
79 |
|
XSS |
2021-06-11 |
2021-06-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6. |
9 |
CVE-2020-13673 |
352 |
|
XSS |
2022-02-11 |
2022-02-22 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed entities. In some cases, this could lead to cross-site scripting. |
10 |
CVE-2020-13672 |
79 |
|
XSS |
2022-02-11 |
2022-04-12 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80. |
11 |
CVE-2020-13669 |
79 |
|
XSS |
2022-02-11 |
2022-02-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. |
12 |
CVE-2020-13668 |
79 |
|
XSS Bypass |
2022-02-11 |
2022-02-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. |
13 |
CVE-2020-11023 |
79 |
|
Exec Code XSS |
2020-04-29 |
2022-05-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
14 |
CVE-2020-11022 |
79 |
|
Exec Code XSS |
2020-04-29 |
2022-05-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
15 |
CVE-2020-9281 |
79 |
|
XSS |
2020-03-07 |
2022-02-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax). |
16 |
CVE-2019-11876 |
79 |
|
XSS |
2019-05-24 |
2019-05-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link. |
17 |
CVE-2019-10909 |
79 |
|
XSS |
2019-05-16 |
2021-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. |
18 |
CVE-2019-6341 |
79 |
|
XSS |
2019-03-26 |
2019-05-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. |
19 |
CVE-2018-9861 |
79 |
|
XSS |
2018-04-19 |
2019-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element. |
20 |
CVE-2017-6929 |
79 |
|
XSS |
2018-03-01 |
2018-03-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module. |
21 |
CVE-2017-6927 |
79 |
|
XSS |
2018-03-01 |
2018-03-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. |
22 |
CVE-2016-7571 |
79 |
|
XSS |
2016-10-03 |
2016-10-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception. |
23 |
CVE-2015-6665 |
79 |
|
XSS |
2015-08-24 |
2016-12-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag. |
24 |
CVE-2015-6658 |
79 |
|
XSS |
2015-08-24 |
2016-12-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files. |
25 |
CVE-2014-8765 |
79 |
|
XSS |
2014-10-14 |
2014-10-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in the Project Issue File Review module (PIFR) module 6.x-2.x before 6.x-2.17 for Drupal allow (1) remote attackers to inject arbitrary web script or HTML via a crafted patch, which triggers a PIFR client to test the patch and return the results to the PIFR_Server test results page or (2) remote authenticated users with the "manage PIFR environments" permission to inject arbitrary web script or HTML via vectors involving a PIFR_Server administrative page. |
26 |
CVE-2014-8748 |
79 |
|
XSS |
2014-10-13 |
2014-10-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Google Doubleclick for Publishers (DFP) module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer dfp" permission to inject arbitrary web script or HTML via a slot name. |
27 |
CVE-2014-8747 |
79 |
|
XSS |
2014-10-13 |
2017-09-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Drupal Commons module 7.x-3.x before 7.x-3.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to content creation and activity stream messages. |
28 |
CVE-2014-8746 |
79 |
|
XSS |
2014-10-13 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Skeleton theme 7.x-1.2 through 7.x-1.3 before 7.x-1.4, for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings. |
29 |
CVE-2014-8745 |
79 |
|
XSS |
2014-10-13 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Custom Search module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.15 for Drupal allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via a taxonomy vocabulary label. |
30 |
CVE-2014-8744 |
79 |
|
XSS |
2014-10-13 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Nivo Slider module 7.x-2.x before 7.x-1.11 for Drupal allows remote authenticated users with the "administer nivo slider" permission to inject arbitrary web script or HTML via an image title. |
31 |
CVE-2014-8743 |
79 |
|
XSS |
2014-10-13 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.4 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via a (1) Role or (2) Organic Group name. |
32 |
CVE-2014-8296 |
79 |
|
XSS |
2014-10-16 |
2017-09-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Modal Frame API module 6.x-1.x before 6.x-1.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
33 |
CVE-2014-8079 |
79 |
|
XSS |
2014-10-09 |
2017-09-08 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the MAYO theme 7.x-1.x before 7.x-1.3 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to header background setting. |
34 |
CVE-2014-8078 |
79 |
|
XSS |
2014-10-09 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 6.x-1.x before 6.x-1.19, 7.x-1.x before 7.x-1.3, and 7.x-2.x before 7.x-2.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to nodes. |
35 |
CVE-2014-8077 |
79 |
|
XSS |
2014-10-09 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the NewsFlash theme 6.x-1.x before 6.x-1.7 and 7.x-1.x before 7.x-2.5 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to font family CSS property. |
36 |
CVE-2014-8076 |
79 |
|
XSS |
2014-10-09 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Professional theme 7.x before 7.x-2.04 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to custom copyright information. |
37 |
CVE-2014-8075 |
79 |
|
XSS |
2014-10-09 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Tribune module 6.x-1.x and 7.x-3.x for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a node title. |
38 |
CVE-2014-7980 |
79 |
|
XSS |
2014-10-08 |
2014-10-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in template.php in Zen theme 7.x-3.x before 7.x-3.3 and 7.x-5.x before 7.x-5.5 for Drupal allow remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via the skip_link_text setting and unspecified other theme settings. |
39 |
CVE-2014-7979 |
79 |
|
XSS |
2014-10-08 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the SimpleCorp theme 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings. |
40 |
CVE-2014-7978 |
79 |
|
XSS |
2014-10-08 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the BlueMasters theme 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings. |
41 |
CVE-2014-7870 |
79 |
|
XSS |
2014-10-06 |
2014-10-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Custom Search module 6.x-1.x before 6.x-1.12 and 7.x-1.x before 7.x-1.14 for Drupal allows remote authenticated users with the "administer custom search" permission to inject arbitrary web script or HTML via the "Label text" field to admin/config/search/custom_search/results. |
42 |
CVE-2014-7869 |
79 |
|
XSS |
2014-10-06 |
2014-10-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the configuration UI in the Context Form Alteration module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer contexts" permission to inject arbitrary web script or HTML via unspecified vectors. |
43 |
CVE-2014-5022 |
79 |
|
XSS |
2014-07-22 |
2014-07-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field. |
44 |
CVE-2014-5021 |
79 |
|
XSS |
2014-07-22 |
2014-07-22 |
2.1 |
None |
Remote |
High |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label. |
45 |
CVE-2014-1607 |
79 |
|
XSS |
2014-01-26 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
** DISPUTED ** Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future. |
46 |
CVE-2013-6388 |
79 |
|
XSS |
2013-12-24 |
2014-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS. |
47 |
CVE-2013-6387 |
79 |
|
XSS |
2013-12-24 |
2014-01-04 |
2.1 |
None |
Remote |
High |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field. |
48 |
CVE-2013-0244 |
79 |
|
XSS |
2014-01-19 |
2014-03-08 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements. |
49 |
CVE-2012-2078 |
79 |
|
XSS |
2019-11-21 |
2019-12-11 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Activity module 6.x-1.x for Drupal. |
50 |
CVE-2012-1646 |
79 |
|
XSS |
2012-09-25 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in the FAQ module 6.x-1.x before 6.x-1.13 and 7.x-1.x-rc1 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via the (1) title parameter in faq.admin.inc or (2) detailed_question parameter in faq.module. |